My hesitation over switching to Ubuntu (and the reason I didn't
switch much sooner) came from seeing bugs over the past half a decade or
so (fewer in the past few years, though) related to how Mozilla was
packaged on Debian, and from looking through the diffs in Debian's
Mozilla packages, and I think Ubuntu's as well. (Ubuntu is based on
Debian.) I saw patches that were obviously written by people who wanted
to fix one particular bug, but didn't particularly understand the code
they were modifying or what else their modifications would break. Given
that, today's security advisories from Debian and
from Ubuntu didn't
surprise me very much. I had a pretty good idea of the tradeoff I was
making when I was switching from Fedora to Ubuntu.

Fedora as a project seems to have a pretty healthy community that, at
a local level (changes to a particular package), strikes a pretty good
balance between getting things to work and doing things right. Their
developers are often good about contributing patches upstream, and are
major contributors to many of the projects that they depend on. I
haven't observed this volume of upstream patches or major contributions
from Debian or Ubuntu. I suspect they attract developers whose patches
are often not good enough to be accepted upstream, and I suspect the
projects nevertheless encourage those developers to fix particular
serious (and sometimes not-so-serious) bugs. However, fixing a set of
serious bugs before shipping is an important part of releasing software,
and I don't think Fedora has done this well the past few releases. But
bugs also need to be fixed correctly -- with a good understanding of why
the changes are being made, and what they could break. That often
requires sending the patches upstream to the developers who wrote and
understand the code being patched. This seems to me to be the big
weakness of Debian and Ubuntu (and also occasionally a problem for
Fedora as well, but not as much).

I'd love to see a Linux distribution that is good at both shipping
releases at a high quality bar, and at using only a limited set of
high-quality local patches that are quickly pushed upstream rather than
doing extensive and long-term patching of code that they don't
understand. I haven't found one yet.